From cdb15cc0d03d0555b7c6070e832c46f1de39aead Mon Sep 17 00:00:00 2001
From: Bauke
Date: Fri, 31 Jan 2025 19:30:02 +0000
Subject: [PATCH] Disallow a user from banning themselves.

Closes tildes-community/tildes-cf#9

See merge request tildes-community/tildes-cf!12
---
 tildes/tests/conftest.py | 36 +++++++++++++++++++++++-
 tildes/tests/webtests/test_admin_user.py | 18 ++++++++++++
 tildes/tildes/templates/user.jinja2 | 2 +-
 tildes/tildes/views/api/web/user.py | 4 +++
 4 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 tildes/tests/webtests/test_admin_user.py

diff --git a/tildes/tests/conftest.py b/tildes/tests/conftest.py
index fe87bda..52c6768 100644
--- a/tildes/tests/conftest.py
+++ b/tildes/tests/conftest.py
@@ -15,8 +15,9 @@ from testing.redis import RedisServer
 from webtest import TestApp
 
 from scripts.initialize_db import create_tables
+from tildes.enums import UserPermission
 from tildes.models.group import Group
-from tildes.models.user import User
+from tildes.models.user import User, UserPermissions
 
 
 # include the fixtures defined in fixtures.py
@@ -172,6 +173,25 @@ def session_user2(sdb):
     yield user
 
 
+@fixture(scope="session", autouse=True)
+def session_admin_user(sdb):
+    """Create a third user named 'AdminUser' in the db for test session.
+
+    This user is granted all available user permissions.
+    """
+    user = User("AdminUser", "admin user password")
+    for permission in UserPermission:
+        user_permission = UserPermissions()
+        user_permission.user = user
+        user_permission.permission = permission
+        sdb.add(user_permission)
+
+    sdb.add(user)
+    sdb.commit()
+
+    yield user
+
+
 @fixture(scope="session", autouse=True)
 def session_group(sdb):
     """Create a group named 'sessiongroup' in the db for test session."""
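Review bot: The AdminUser credentials are spelled out as bare literals twice — `User("AdminUser", "admin user password")` here in session_admin_user and again in the `login_page.form[...]` assignments of the new webtest_admin fixture in the next hunk — so editing one silently breaks the login in the other. A module-level pair such as `ADMIN_USERNAME = "AdminUser"` and `ADMIN_PASSWORD = "admin user password"`, kept alongside WEBTEST_EXTRA_ENVIRON and referenced from both fixtures, keeps them in one place. The docstring should also say why the account receives every permission, since that is what makes it usable for admin-only tests: `This user is granted every UserPermission so webtests can exercise admin-only UI and endpoints.`. The `sdb.add(user_permission)` calls run before `sdb.add(user)`, which only works if assigning `user_permission.user` cascades the user into the session — presumably it does, but worth confirming against the UserPermissions relationship.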
@@ -220,6 +240,20 @@ def webtest(base_app):
     yield app
 
 
+@fixture(scope="session")
+def webtest_admin(base_app):
+    """Create a webtest TestApp and log in as the AdminUser account in it."""
+    app = TestApp(base_app, extra_environ=WEBTEST_EXTRA_ENVIRON)
+
+    # fetch the login page, fill in the form, and submit it (sets the cookie)
+    login_page = app.get("/login")
+    login_page.form["username"] = "AdminUser"
+    login_page.form["password"] = "admin user password"
+    login_page.form.submit()
+
+    yield app
+
+
 @fixture(scope="function")
 def webtest_loggedout(base_app):
     """Create a logged-out webtest TestApp (function scope, so no state is retained)."""
diff --git a/tildes/tests/webtests/test_admin_user.py b/tildes/tests/webtests/test_admin_user.py
new file mode 100644
index 0000000..373f7b7
--- /dev/null
+++ b/tildes/tests/webtests/test_admin_user.py
@@ -0,0 +1,18 @@
+# Copyright (c) 2025 Tildes contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+
+def test_ban_button_hidden_from_self(webtest_admin):
+    """Test that the Ban button is hidden on a user's own profile."""
+    profile = webtest_admin.get("/user/AdminUser")
+    assert profile.status_int == 200
+    assert profile.text.count("Ban user") == 0
+    assert profile.text.count("Unban user") == 0
+
+
+def test_ban_button_shown_for_other_user(webtest_admin):
+    """Test that the Ban button is shown on a different user's profile."""
+    profile = webtest_admin.get("/user/SessionUser")
+    assert profile.status_int == 200
+    assert profile.text.count("Ban user") > 0
+    assert profile.text.count("Unban user") == 0
diff --git a/tildes/tildes/templates/user.jinja2 b/tildes/tildes/templates/user.jinja2
index 6d19357..1a0e041 100644
--- a/tildes/tildes/templates/user.jinja2
+++ b/tildes/tildes/templates/user.jinja2
@@ -189,7 +189,7 @@ Send a private message {% endif %}
-{% if request.has_permission("ban", user) %}
+{% if request.user != user and request.has_permission("ban", user) %}
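Review bot: Both tests in test_admin_user.py only check that the rendered profile omits the "Ban user" button; nothing exercises the server side, so a request that bypasses the UI is not covered. The commit also touches tildes/tildes/views/api/web/user.py (4 additions per the diffstat, not in this chunk), which presumably adds the matching check on the ban endpoint — that check is the actual control, because the `{% if request.user != user and ... %}` guard in user.jinja2 only changes what is rendered. A third test that sends the ban request for AdminUser through webtest_admin and asserts an error status, paired with one that bans a different user successfully, would pin the enforcement; the route and method should be taken from that view rather than guessed here. Separately, `test_ban_button_shown_for_other_user` assumes SessionUser is not already banned when it runs; with a session-scoped database another webtest that bans SessionUser would flip the `count("Unban user") == 0` assertion, so either state that ordering assumption in the docstring or reset the flag inside the test.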
{% if user.is_banned %}